Inside The Vulnerability Disclosure EcosystemReport released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities - and what researchers think.
1 of 7
A new National Telecommunications and Information Administration (NTIA)-led study of how security researchers and software vendors handle and view vulnerability disclosure provides rare insight into both sides of the equation.
NTIA formed a team of stakeholders from the software industry, security researchers, and industry at large to study how the various players could build a higher level of trust when it comes to disclosing vulnerability information.
“Having more disclosure won’t solve all our security challenges,” says Allan Friedman, director of cybersecurity initiatives at the NTIA. “But it will build a more collaborative environment where organizations can respond to and have good relationships with [stakeholders] in the security field.”
One of the three working groups formed by the NTIA conducted two surveys, one of security researchers and another of software vendors. The researchers survey received 414 responses, and the software vendor study received 285.
On the plus side, 92% of security researchers surveyed say they participate in some form of security disclosure, but 60% say threat of legal action could potentially deter them from working with a vendor to disclose a vulnerability
And while 76% of vendors say they look internally to develop vulnerability handling procedures, only one in three require third parties to develop their own vulnerability handling procedures.
“Cleary there needs to be more work done in working with third parties,” says Friedman. “Especially when so many of the high-profile breaches involved third parties.”
NTIA published three papers from the study, and here are some key takeaways:
Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio
1 of 7